Cyber & Data Protection Limited’s Cyber Risk Assessment – what is it?
Think of security as a ladder. Cyber Essentials is the basic minimum security standard every organisation should meet, and holding it tells your suppliers and customers that you take security at least that seriously. Cyber Essentials is step one on our security ladder. The Cyber Risk Assessment looks at where you are now and gives you costed plans for getting to your desired level. It starts at step three, and your destination is the highest step your budget and need allow for.
Tell me more
Our Cyber Risk Assessment (CRA) is an in-depth assessment of an organisation’s cyber risk posture. Our security experts advise and consult with the board of directors to agree a desired security position out of Good, Better, or Best. We then conduct the assessment using a defined framework based on the CIS Controls and produce a comprehensive report and roadmap detailing the remedial actions, and the cost, required to reach the desired standard.
Our assessment combines multiple frameworks. In addition to the 18 CIS Controls, when considering the detail in each element we have also aligned, where possible, to ISO/IEC 27001, Cyber Essentials Plus, and UK Government guidance (specifically the secure configuration guidelines for Microsoft 365).
Combining these frameworks and standards gives a robust and thorough approach to a cyber security assessment and gap analysis. We also offer a Cyber Risk Assessment Light; what is included in the Light and Full service offerings is set out in the table below.
Challenges
Deciding what level of risk is acceptable to an organisation can be difficult without the right guidance, and if no standard of measurement is agreed, a risk assessment becomes complicated, time-consuming, and hard to measure consistently. An assessment conducted internally may not be truly independent or accurate, and presenting the findings clearly, then defining and implementing a fully costed remediation plan, can demand significant resource. All of this slows progress towards an organisation’s cyber security goals.
Service Capabilities
- Includes a detailed Cyber Security Capability Maturity Model, against a defined framework developed around the CIS controls.
- The assessment begins with initial fact finding and consultation with the sponsors, to understand the business profile, sector, size, and the likely impact of a security incident.
- Our security experts consult with the organisation’s senior leadership team to clarify and confirm the desired security standard (Good, Better, or Best) that it aims to reach across all the controls. The assessment, as a gap analysis, is graded against that standard.
- We appreciate that each organisation is unique. In some cases the business, after consideration, may require a different standard for specific controls within the assessment framework, and we can adjust the reporting to accommodate this. The same applies to any specific security requirements of the organisation’s own.
- An Executive Summary Report is produced for presentation of key findings to the board, detailing the anticipated costs of remediation.
- A detailed findings report, stating the current cyber security standard and remedial actions required to reach the desired standard, is then presented as a roadmap for the organisation.
- An example of the report produced can be provided upon request.
Assessment area | Discovery Scan* | Cyber Risk Light | Cyber Risk Full
---|---|---|---
Network Vulnerability Scan | ✓ | ✓ | ✓
Malware Defences | | ✓ | ✓
Email & Web Browser Protections | | ✓ | ✓
Inventory & Control of Enterprise Assets | | ✓ | ✓
Inventory & Control of Software Assets | | ✓ | ✓
Secure Configuration of Enterprise & Software Assets | | ✓ | ✓
Account Management | | ✓ | ✓
Access Control Management | | ✓ | ✓
Continuous Vulnerability Management | | ✓ | ✓
Data Recovery | | ✓ | ✓
Network Infrastructure Management | | ✓ | ✓
Service Provider Management | | ✓ | ✓
Review of Penetration Testing | | ✓ | ✓
Data Protection | | | ✓
Audit Log Management | | | ✓
Network Monitoring & Defence | | | ✓
Security Awareness & Skills Training | | | ✓
Application Software Security | | | ✓
Incident Response Management | | | ✓

*Provided as part of another service.